So far the Federal Bureau of Investigation (FBI) hasn’t given any specific details on how it was able to access the data on Farook’s phone. But the agency’s director did divulge a bit of information regarding the scope of the method:
The FBI’s new method for unlocking iPhones won’t work on most models, FBI Director Comey said in a speech last night at Kenyon University. “It’s a bit of a technological corner case, because the world has moved on to sixes,” Comey said, describing the bug in response to a question. “This doesn’t work on sixes, doesn’t work on a 5s. So we have a tool that works on a narrow slice of phones.” He continued, “I can never be completely confident, but I’m pretty confident about that.” The exchange can be found at 52:30 in the video above.
Since he specifically mentioned the iPhone 5S, 6, and 6S, it’s possible the Secure Enclave feature present in those phones thwarts the exploit. This does make sense assuming the FBI used a method to brute force the password. On the iPhone 5C the user password is combined with a hardware key to decrypt the phone’s storage. Farook used a four-digit numerical password, which means there were only 10,000 possible passwords. With such a small pool of possible passwords it would have been trivial to brute force the correct one. What stood in the way were two iOS security features. The first is a delay between entering passwords that increases with each incorrect password. The second is a feature that erases the decryption keys — which effectively renders all data stored on the phone useless — after 10 incorrect passwords have been entered.
On the 5C these features are implemented entirely in software. If an attacker can bypass the software and combine passwords with the hardware key, they can try as many passwords as they want without any artificial delay and prevent the decryption keys from being erased. On the iPhone 5S, 6, and 6S the Secure Enclave coprocessor handles all cryptographic operations, including enforcing a delay between incorrect passwords. Although this is entirely speculation, I’m guessing the FBI found a way to bypass the software security features on Farook’s phone and the method wouldn’t work on any device utilizing Secure Enclave.
Even though Secure Enclave makes four-digit numerical passwords safer, they’re still dependent on outside security measures to protect against brute force attacks. I encourage everybody to set a complex password on their phone. On iPhones equipped with Touch ID this is a simple matter to do since you only have to enter your password after rebooting the phone or after not unlocking your phone for 48 hours. Besides those cases you can use your fingerprint to unlock the phone (just make sure you reboot the phone, which you can do at any time by holding the power and home buttons down for a few seconds, if you interact with law enforcement so they can’t force you to unlock the phone with your fingerprint). With a strong password brute force attacks become unfeasible even if the software or hardware security enhancements are bypassed.
Yup. With physical access to the hardware, any hardware lock can be defeated – it’s not too hard for me to imagine that gov has access to stuff that could selectively disable something like the key self-destruct in the Secure Enclave coprocessor, as well as extract the hardware key, although this would be labour-intensive enough to still make such hardware locking well worthwhile. But I don’t believe, propaganda to the contrary notwithstanding, that NSA has a monopoly, or even a significant oligopoly on smart cryptographers, and if there were any way to break the stronger modern ciphers by means other than brute force (in the context of a phone, there likely wouldn’t be enough known plaintext / ciphertext available for other approaches anyway) it would probably have been found by now.
A strong password need not be an unmemorizable hash of random characters, either. Even assuming just a 10,000 word dictionary of 8 letter or less words, five such words all in lower case with no spaces yields a search space of 10^20, which, by Snowden’s criteria of “a trillion guesses a second” is more than 3 years. Throw in a few upper case and / or special characters (or even just variable spacing) and don’t use an obvious or published phrase, and you’ve got a very secure password that isn’t that difficult to remember and type.
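The two protections described in the post (an escalating delay and key erasure after 10 wrong passwords) and the commenter's passphrase estimate, modelled as an added Python example that is not part of the original post or comment. `PasscodeGate`, `sweep`, `years_to_exhaust`, the delay schedule and the PIN `7391` are constructed for illustration; `enforce=False` models the software checks no longer being applied.

```python
from dataclasses import dataclass

PIN_SPACE = 10_000          # four-digit numeric passcode (from the post)
WIPE_AFTER = 10             # keys erased after 10 wrong guesses (from the post)
# Assumed delay schedule in seconds, keyed by consecutive failure count.
# Illustrative values only; the post gives no numbers.
DELAYS = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}


@dataclass
class PasscodeGate:
    """Software gate in front of the key derivation step."""
    secret: str
    enforce: bool = True    # False models the gate being bypassed
    failures: int = 0
    delay_total: int = 0    # seconds of enforced waiting so far
    wiped: bool = False

    def attempt(self, guess: str) -> bool:
        if self.wiped:
            return False    # keys are gone, nothing can unlock
        if guess == self.secret:
            self.failures = 0
            return True
        if self.enforce:
            self.failures += 1
            self.delay_total += DELAYS.get(self.failures, 0)
            self.wiped = self.failures >= WIPE_AFTER
        return False


def sweep(secret: str, enforce: bool) -> dict:
    """Try every PIN in order against a gate and report the outcome."""
    gate = PasscodeGate(secret, enforce)
    tried = 0
    for n in range(PIN_SPACE):
        tried += 1
        if gate.attempt(f"{n:04d}"):
            return {"unlocked": True, "tried": tried, "delay": gate.delay_total}
        if gate.wiped:
            break
    return {"unlocked": False, "tried": tried, "delay": gate.delay_total}


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to cover a keyspace at a fixed guess rate."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)
```

With the gate enforced, only 10 of the 10,000 PINs can ever be tried before the keys are erased; without it the whole space is reachable, which is why the passphrase keyspace from the comment (10,000^5 = 10^20) matters independently of the gate.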